ASIC takes on licensee over ‘cybersecurity lapses’

The corporate regulator is suing an advice company for failure to properly manage cybersecurity risk.

The NSW Supreme Court action comes after several authorised representatives (ARs) of Sydney business Fortnum Private Wealth experienced breaches.

The Australian Securities and Investments Commission alleges Fortnum failed to have adequate policies, frameworks, systems and controls in place to tackle such risks.   

It says a policy introduced in April 2021 was inadequate and was revised two years later after several cyber incidents, including an attack in which the data of almost 10,000 clients was published on the dark web. 

ASIC chair Joe Longo says inadequate cyber protections are an enforcement priority. 

“Australian financial services licensees, in particular, hold a range of sensitive and confidential information,” he added. 

“ASIC has been highlighting the cybersecurity responsibilities of companies. Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyberattack.” 

Fortnum’s ARs stored information from retail clients including identification, tax file numbers, and bank account and credit card details. ASIC says this made them “potential targets”. 

“It is incumbent on Fortnum in discharging its duties and obligations as a licensee to identify and understand the cybersecurity risks that it and its ARs faced, and to have adequate policies, frameworks, systems and controls in place to appropriately manage and mitigate those risks,” court documents say. 

ASIC says Fortnum did not require its ARs to undertake training, had no employees with expertise in cybersecurity and did not engage a consultant to help develop its policy. It allegedly had no framework to identify cybersecurity risks across its ARs.  

Its 2021 policy included a self-assessment tool, but ASIC says recommended measures were not specific or stringent enough. After six months, only 44% of principal practices had completed the assessment. “Fortnum’s frameworks did not enable it to oversee or monitor whether ARs were complying,” the regulator says. 

ASIC says cyber breaches at Fortnum ARs included a hacker accessing a Eureka employee’s email account and sending 1266 messages containing phishing links, and a breach at Wealthwise resulting in the publication of more than 200 gigabytes of data on up to 9828 clients. The email address of Prominent Financial Services was compromised; a Ford employee’s email was accessed from an overseas IP address; and fake emails were sent purporting to be from a RedThorn adviser.

“Most of those incidents occurred after the introduction of the April 2021 policy. Fortnum did not implement any measures in light of those incidents in respect of its cybersecurity policies, frameworks, systems and controls,” ASIC says.